Review of CWE-863: where the article gets authorization right, where it misleads, and key fixes for IDOR, JWTs, APIs, and policy design.